İşleme Grafiği

23 İşleme

Yazar SHA1 Mesaj Tarih
David Cooper
3e28db2362 Improved key generation
In the public comments to draft version of NIST Special Publication 800-208, ETSI TC CYBER WG QSC identified a multi-target attack against the method of pseudorandom key generation used in this referrence implementation. ETSI TC CYBER WG QSC suggested using the pseudorandom key generation method from SPHINCS+, however, there is still a multi-user attack against that key generation method.

This commit revises the pseudorandom key generation method by using the method from SPINCS+, but adding SEED as an input in order to protect against multi-user attacks. Since prf() only accepts 32-byte inputs, the new key generation method uses a new PRF. The resulting key generation method is sk[i] = prf_keygen(sk_seed, pub_seed || adrs).
2020-04-30 12:43:36 -04:00
Joost Rijneveld
0d019ddc9f
Change order of SK elements to match RFC
The RFC suggests root||pubseed (in algorithm 10); note that
this choice does not influence interoperability.

Thanks go to Rafael Misoczki for bringing this up.
2018-12-17 16:25:08 +01:00
Joost Rijneveld
75a42a86a6
Allow more flexible parameter selection
This also reduces some duplication between XMSS and XMSSMT
2018-09-03 16:53:45 +09:00
Joost Rijneveld
afad4fe13a
Fix typo in comments leaving root out of sk 2017-11-02 17:00:38 +01:00
Joost Rijneveld
daa4e2d6db
Rename hash functions to tweaked hashes
Since there's a tweak being introduced, this should be reflected
in the name of the functions.
2017-11-01 15:16:17 +01:00
Joost Rijneveld
fe252b8093
Move ull-byte-conversions to separate utils file 2017-11-01 14:59:33 +01:00
Joost Rijneveld
2e96b03106
Clean up and simplify hash function definitions 2017-10-31 17:21:29 +01:00
Joost Rijneveld
384b228c58
Support messages that exceed the stack size
Previous code allocated an array on the stack of mlen bytes, but
it should be possible to also sign heap-space messages. By relying
on the fact that sm and m fit the message + signature, we move
the message so that 4*n bytes of prefix can be added.
2017-10-31 17:21:27 +01:00
Joost Rijneveld
59d304027c
Let xmss_core decide on secret key size
This allows different backends to store additional state information
in the secret key while the rest of the codebase remains agnostic.

In particular, this prepares for a common xmss_core.h API for both
the standard and the BDS-traversal-based implementations.
2017-10-26 18:06:17 +02:00
Joost Rijneveld
94a92ed2b1
Make XMSS sign/open functions instances of XMSSMT
This removes a lot of code duplication.
2017-10-26 12:07:57 +02:00
Joost Rijneveld
7c6354f762
Rename parameters for readability and consistency 2017-10-24 17:51:56 +02:00
Joost Rijneveld
bbbb95e869
Fix erroneous index length for XMSSMT
This produced repeated indices when reaching 2^32 signatures.
This was introduced in 9b35b00d98
with the re-introduction of runtime parameters. Compile-time parameters
did not contain this error.
2017-10-24 17:40:21 +02:00
Joost Rijneveld
4111393912
Abstract address types into macro constants 2017-10-24 16:23:57 +02:00
Joost Rijneveld
ae49c04807
Clean up signing functions
As a result, performs various refactors that also impact the verification
function, since cleaner signing functions exposed more overlap.
2017-10-24 16:23:51 +02:00
Joost Rijneveld
d794ae30ee
Deduplicate XMSS/XMSSMT key generation 2017-10-24 12:02:42 +02:00
Joost Rijneveld
d9a9723125
Combine auth path and keygen root functions
This greatly reduces the memory comsumption of the auth path
computation, since it now also uses treehash. It prevents
duplicate code by re-using the treehash function.

A downside is that it does also pick out the authentication path
during key generation (while it is not used), but this cost is
negligible.
2017-10-24 11:53:45 +02:00
Joost Rijneveld
a9fe0e43fe
Clean up key generation 2017-10-24 09:37:49 +02:00
Joost Rijneveld
270e6cd753
Reorder ull_to_bytes parameters to group output 2017-10-23 16:19:16 +02:00
Joost Rijneveld
305bd614bb
Perform various reformatting / renaming 2017-10-23 14:10:39 +02:00
Joost Rijneveld
f3bad4a272
Simplify licensing using LICENSE file 2017-10-19 17:38:34 +02:00
Joost Rijneveld
6a8571d880
Revert to using runtime-only parameter struct
Using global defines for parameters (as seems to be typical in
academic crypto code) does not play nice with multithreading at all.
2017-10-16 12:09:07 +02:00
Joost Rijneveld
9d5884e120
Refactor for more consistent style and readability 2017-08-03 17:39:37 +02:00
Joost Rijneveld
65ee8202d8
Refactor to prepare for runtime parameters 2017-08-01 16:18:09 +02:00